Symantec: China Main Source of Targeted Attacks

A new report from Symantec's MessageLabs analyzed targeted attacks this month and found that nearly a third originate from senders in China.

A new report from Symantec names China as the world's primary source of
targeted malware the month of March.
The high stakes of such attacks
were brought into focus for many earlier this year with the Aurora
attack on Google and dozens of other companies. According
to Symantec (PDF), while most of the malware (36.6 percent) came from the United States in terms of mail server location,
an analysis of the sender's IP address put the attacker's location in China 28.2 percent of the time,
followed by Romania (21.1 percent) and then the United States (13.8 percent).

"When considering the true location
of the sender rather than the location of the e-mail server, fewer attacks are
actually sent from North America than it would at first seem," said Paul Wood,
intelligence senior analyst with Symantec's MessageLabs, in a statement. "A
large proportion of targeted attacks are sent from legitimate webmail accounts
which are located in the U.S. and therefore, the IP address of
the sending mail server is not a useful indicator of the true origin of the
attack. Analysis of the sender's IP address, rather than the IP address of the
e-mail server reveals the true source of these targeted attacks."

Symantec found that the top
five targeted roles are: Director, Senior Official, Vice President,
Manager, and Executive Director, and the individuals that receive the most
targeted malware are typically responsible for foreign trade and defense policy
involving Asian countries.
Mikko Hypponen, chief researcher
officer at F-Secure, noted in a conversation with eWEEK that targeted attacks
are often preceded by real-world espionage where the hackers dig
into the backgrounds of their targets, searching for information such as where
they live, what language they speak and what information they have access to.
"Who are their colleagues? What
area are they working (in)? What kind of computers are they using, what kind of
security systems they have in place...once you have all that information, then
you can launch the actual attacks," he said.
According to Symantec, the city
Shaoxing in China seems to be a major
source for attacks, accounting for 21.3 percent. Taipei in Taiwan and London in the U.K. accounted for 16.5 percent and
14.8 percent, respectively.
Symantec's analysis found the most
common file types attached to malicious e-mails are .XLS and .DOC, though the most dangerous file
type is .RAR files, which are a proprietary compressed archive format. .XLS and
.DOC file types each accounted for 15.4
percent of file attachments in e-mail in March.
The most compromised file type for
the month were encrypted .RAR files, which accounted for roughly 1 in 312
malicious files attached to e-mails. While encrypted .RAR files are relatively
uncommon, Symantec reported that 96.8 percent attached to e-mails were found to
be malicious.
"By comparison, unencrypted .RAR
files are rarely exploited and occur in 1.1 percent of e-mails," Wood said.
"Although they are more common than encrypted .RAR files, they are far less
likely to be seen attached to malicious e-mail."
The .EXE file type is the most
likely to arouse suspicion when attached to an e-mail, however, in March
executable file types accounted for just 6.7 percent of files attached to e-mail
and were found to be compromised 15 percent of the time. The most common file
extensions, .XLS, .DOC, .ZIP and .PDF, as attachments, were the least likely to
be infected, due to the sheer number of e-mails using them as attachments,
Symantec reported.
These attacks often come through
spoofed e-mails with all the calling cards of legitimate messages.
"In many cases these e-mails are
very convincing...talking about projects by numbers and codenames, talking about
highly specific details that the person is working with and they have an
attachment...which when opened will actually show you a real file which is again
relevant in most cases, but at the same time it will drop an exploit through a
backdoor," Hypponen explained.